Browse files

Added prelim files for final project LaTeX.

  • Loading branch information...
1 parent ac72c03 commit f0489bee9cc0208faf9e4910d730613de51c6ed5 Paul Pham committed Mar 18, 2011
@@ -0,0 +1,13 @@
+In this project, I critique the public-key quantum money scheme of
+\cite{Farhi2010} based on the hardness of finding equivalent
+mathematical knots and creating a weighted superposition of
+corresponding grid diagrams that correspond to the same Alexander
+I sketch a loose upper bound for the damage to a valid
+money state from the verification procedure and characterize the
+desired behavior of Markov chain mixing in order to distinguish
+valid and invalid money states with a polynomial number of trials.
+In conclusion, I propose extensions to this work to create
+a more concrete scheme and to defend against future attacks.
@@ -0,0 +1,49 @@
+\section{Possible Attacks}
+Since this scheme of quantum money from knots is based on conjectures, this
+points the way to several future attacks.
+\item Reverse engineering from the Alexander polynomial $p$. If the attacker
+could easily find all equivalent grid diagrams to a single "canonical" grid
+diagram corresponding to the serial number, he could create the correctly
+weighted superposition to duplicate $\ket{\$_p}$. Call
+$\mathcal{G}_{2\overline{D}}$ the set of all grid diagrams of up to size
+The attacker could enumerate over
+exponentially many grid moves within $\mathcal{G}_2\overline{D}$,
+or he could enumerate over all grids in $\mathcal{G}_2\overline{D}$ assuming
+he has an oracle for determining if two grid diagrams are equivalent.
+Both would take exponential time.
+Alternatively, suppose that a polynomial time algorithm exists to extract from
+each grid diagram
+(encoded in $O(\overline{D}^2)$
+bits) either the moves to get to all but exponentially many equivalent
+diagrams or (even more unlikely) the equivalent diagrams themselves.
+We would have to be able to upper bound the number of equivalent grid diagrams to
+also be $O(\overline{D}^2)$, which we currently don't know how to do.
+It turns out that a certain class of states can be efficiently copied, which
+includes the eigenstates of some classical reversible circuit.
+A special case of this
+are the states $\ket{\psi_{n,k}}$ used to enact arbitrary controlled phase
+rotations in the quantum compiling algorithm of Kitaev, Shen, and Vyalyi
+\cite{KSV02}, where the state to copy (say $\ket{\psi_{n,1}}$ which is hard
+to produce) is of the
+same form as the "empty" register to hold the new copy ($\ket{\psi_{n,0}}$, which
+is easy to produce). As in
+\ket{\psi_{n,1}}\otimes\ket{\psi_{n,0}} \rightarrow
+If it turns out that weighted superpositions of equivalent
+grid diagrams are within that class of states, then the valid money state
+$\ket{\$_p}$ could be copied into an entangled pair
+$\ket{\$_p} \otimes \ket{\$_p}$
+can somehow be used toese are somehow encoded in the grid diagram itself,
+waiting to be extracted.
+he might be able to somehow extractEven if he is given an
+oracle to
+come up with a "canonical" grid diagram corresponding to the serial number and
@@ -0,0 +1,52 @@
+\section{Damage from Measuring Valid Money States}
+In Step 3, we are cutting off the tails of the Gaussian distribution
+to eliminate a certain class of equivalent knot diagrams with size close
+to $2\overline{D}$ or $2$ which are easy to create due to the edge cases
+in our Markov chain moves. Otherwise, these easily forgeable states would
+pass Step 4. How do we know this projection won't significantly damage a valid
+money state?
+First let's define the set of all equivalent
+grid diagrams $G$ with Alexander polynomial $p$ and with dimension outside
+the cutoff regions:
+\mathcal{G} = \{
+G:A(G)=p \land d(G) \in
+[2, \frac{\overline{D}}{2})
+\cap (\frac{3\overline{D}}{2},2\overline{D}]
+Then lets take the norm of the difference between the original valid money state
+$\ket{\psi}$ and the same state after its tails have been cut off,
+$\ket{\tilde{\psi}}$, which ends up just being the sum of the coefficients
+of grid diagrams in $\mathcal{G}$.
+|| \ket{\psi} - \ket{\tilde{\psi}} || \le
+\sum_{G \in \mathcal{G}} (\sqrt{q(d(G))})^2
+Recall that $q(d)$ is designed to be a Gaussian distribution with
+standard deivation $\sqrt{\overline{D}}/2$, which we can recenter to zero mean.
+Then we
+can calculate the area under the distribution from
+$\frac{\overline{D}}{2}$ to $\frac{3\overline{D}}{2}$ using the error function:
+F(\mu + n\sigma; \mu, \sigma^2) - F(\mu - n\sigma; \mu, \sigma^2) =
+\Phi(n) - \Phi(-n) \\ = \textrm{erf}(\frac{n}{\sqrt{2}}) =
+Here, $n = \sqrt{\overline{D}}/2$, and we can approximate the
+error function by:
+erf(\frac{\overline{D}}{2\sqrt{2}}) =
+\sqrt{1 - \exp(-\Omega(\overline{D}^2))} = 1 - \exp(\Omega(\overline{D}^2))
@@ -0,0 +1,58 @@
+\section{Future Extensions}
+To extend this scheme or prove it secure, we would need a better
+understanding of knots and quantum algorithms for them. The
+two obvious future extensions are to come up with a quantum algorithm
+for knot equivalence to attach the security of this scheme directly or
+to prove an eigenvalue gap for the Markov chain in the verification
+scheme. Aside from those, here are a
+few other interesting directions:
+\item Current schemes do not address the demand for currency.
+For a given security parameter $\overline{D}$,
+are there sufficiently many Alexander polynomials (serial numbers)
+available to supply the world with enough quantum bills?
+To do this, we would need to lower-bound the number of
+different knots that can be embedded in grid diagrams of up to size
+$2\overline{D}$, not including the unknot which has empirically been shown
+occupy the vast majority of grid diagrams.
+Quantum bills and coins currently have no denomination associated with
+them and so are of unit value.
+Is it possible to associate a denomination with quantum money, or to have
+it be dividable or combinable?
+It turns out that a certain class of states can be efficiently copied, which
+includes the eigenstates of the addition operator, $\ket{\psi_{n,k}}$,
+used to enact arbitrary controlled phase
+rotations in the quantum compiling algorithm of Kitaev, Shen, and Vyalyi
+\cite{KSV02}. The state to copy (say $\ket{\psi_{n,1}}$, which is hard
+to produce), but is of the
+same form as the "empty" register to hold the new copy
+($\ket{\psi_{n,0}}$, which
+is easy to produce). As in
+\ket{\psi_{n,1}}\otimes\ket{\psi_{n,0}} \rightarrow
+If it turns out that weighted superpositions of equivalent
+grid diagrams are within that class of states, then the valid money state
+$\ket{\$_p}$ could be copied into an entangled pair
+$\ket{\$_p} \otimes \ket{\$_p}$, either have of which would pass
+Interesting results which have emerged since the main paper \cite{Farhi2010}
+include a new online attack for Wiesner's original scheme
+\cite{Lutomirski2010} which involves the bank returning bogus bills.
+Incidentally, the related work \cite{Lutomirski 2010} addresses this same
+concern of a mint artificially inflating currency by releasing additional bills,
+and then sketches a solution using a \emph{collision-free} quantum money
+However, if one is not satisfied with the hardness of finding a connecting
+sequence of Reidemeister moves between any two grid diagrams, we can increase
+the hardness even further by embedding knots into three dimensions, using
+so-called \emph{cube diagrams}\cite{Baldridge2009}.
@@ -0,0 +1,41 @@
+General quantum states cannot be cloned, but this apparent
+algorithmic disadvantage can be turned into a cryptographic advantage.
+Money is a common implementation of a
+real-life, physical one-way function:
+we want valid bills and coins to be easily creatable (via a
+\emph{minting algorithm} possibly with some classical secret) by a central
+bank but easily checkable (by a public \emph{verification algorithm})
+by anyone with access to a quantum computer.
+This project provides a critical summary of a recent proposed
+ quantum money scheme based on the properties
+mathematical knots \cite{Farhi2010}.
+The interested reader is referred to that paper for
+a good summary of prior work.
+While a promising approach, this scheme's Markov-chain-based
+verification algorithm is incomplete
+and may not be able to distinguish valid and invalid quantum money states.
+First, we briefly review knots and how they are used
+in the minting algorithm to create valid money states.
+Second, we move on to the main part of this paper, the dissection of the
+verification algorithm, including a calculation bounding how much
+damage is done to a valid money state and a discussion about our
+desired mixing properties for the Markov chain part.
+Then we expand upon existing attacks for this scheme.
+Finally, we conclude with future extensions to this exciting work to
+make the scheme more concrete.
+%\section{Related Work}
+%The unforgeability of quantum money was studied as early as Wiesner
+%\cite{}. Although his scheme provides information-theoretic security
+%in the sense of relying directly on the laws of physics, it has the
+%severe disadvantage of involving the mint in every transaction.
+%Ideally, we would like our quantum money to be publicly verifiable, that is,
+%without resorting to the trusted authority for every interaction.
+%Aaronson proved that public-key quantum money was possible relative to an oracle
@@ -0,0 +1,19 @@
+\section{Knots and Grid Diagrams}
+Knots are three-dimensional mathematical objects analogous to a (directed) string
+that can be arbitrarily tangled with itself. Knots can be projected into
+two-dimensions where every string crossing is drawn as solid (the overcrossing
+segment) or broken (the undercrossing segment). However, string is a loose
+and messy analogy to deal with. To discretize knots into a useful computational
+tool, we can embed them into two-dimensional $d \times d$ grid diagrams,
+containing $d$ each of $X$ and $O$ markers, with exactly one of each in every
+column and row.
+A link is a collection of
+one or more directed knots, possibly separable.
+If a link is separable, or if a link is the unknot the Alexander polynomial of
+its corresponding grid diagrams is 0.
+Just as knots are invariant under Reidemeister moves,
+the Alexander polynomial is an invariant of knots embedded in grid diagrams
+under equivalent moves.
@@ -0,0 +1,56 @@
+\section{Markov Chain Mixing to Distinguish Money States}
+In Step 4 of the verification scheme, we apply a Markov chain
+$\hat{B}$ and then
+project onto its +1 eigenstates. This depends on valid money states
+being very close to +1 eigenstates of $\hat{B}$, much closer than
+the eigenstates corresponding to invalid money.
+Valid money states cannot be exactly +1 eigenstates, because those
+include mixing from grid diagrams in $\mathcal{G}$ above,
+with size in the tails that we cut off in Step 3. Therefore, our only
+hope is that the eigenvalues for $\ket{\$_p}$ being exponentially
+close to one and the eigenvalues for all other states being at least
+polynomially farther away.
+Unfortunately, we don't understanding enough about knots to make that
+claim for this particular Markov chain. This is the biggest open
+question and avenue for attack in our knot-based scheme.
+In particular, we don't know
+the eigenvalue gap, if any, between the lowest eigenvalue of
+a $\ket{\$_p}$ (call it $(1-a), a \in [0,1)$) and the highest eigenvalue of any other
+eigenstates (call it $(1-b), b \in [0,1)$). We are guaranteed to be exponentially close
+to some eigenstate of $\hat{B}$ after calculating and measuring the
+Alexander polynomial in Step 2 above.
+However, as dreamers, we can imagine what desirable properties we would
+like to prove for $\hat{B}$. First, we would like $b > a$, so that
+there is a gap. First, we would like to show that $a$ is
+small, so a $\ket{\$_p}$ doesn't degrade under
+$r$ repetitions of Markov chain verification and still projects
+to a +1 eigenstate with high probability.
+a = \frac{1}{\exp(\Omega(\overline{D}))}
+Second, we would like to show that $b$ is polynomially away from 1, so
+that under $r$ repetitions of Markov chain verification, it
+projects to a +1 eigenstate with low probability.
+b = \frac{1}{\Omega(\overline{D})}
+We would like to show that difference in probabilities increases
+exponentially close to 1 with $r$:
+(1-a)^r - (1-b)^r \ge (1 - ra) - (1 - rb) \\
+= r(b-a) =
+\frac{1}{\exp(\Omega(\overline{D}))} - \frac{1}{\Omega(\overline{D})}
+Therefore, if $(b-a)$ also increases exponentially closer to 1, we can
+get away with $r = \textrm{poly}(\overline{D})$ repetitions, so that our
+Markov chain verification procedure is tractable.
@@ -0,0 +1,58 @@
+\section{Quantum Money}
+Consider notes which consist of a quantum state $\ket{\$_p}$ in
+a fixed basis $\mathcal{B}$
+and a classical serial number $p$,
+together with a global classical function $A$ which computes
+$p$ from the basis states. $\ket{\$_p}$ is a (possibly weighted) superposition
+of basis states $\ket{G}$ which are equivalent in the sense that they all map
+to the same value.
+\ket{\$_p} = \frac{1}{\sqrt{N}} \sum_{G:A(G)=p} q_G \ket{G}
+With respect to some security parameter $\overline{D}$,
+we would like a different serial number $p$ to be produced each time
+with probability exponentially close to 1 to prevent forgery through
+of the minting algorithm. For each $p$, or even from each $\ket{G}$ where
+$A(G)=p$, it should be difficult to find all equivalent basis states and
+to forge their superposition. We will see later that it is useful to
+shape the weights $q_G$ of the superposition, rather than have uniform
+distribution. So how do we do this? Two words: knots, maybe.
+Knots are like a loop of string which can be arbitrarily tangled
+itself in three dimensions. We
+can represent them in two-dimensions with $d \times d$
+\emph{grid diagrams}, where strands
+pass vertically and horizontally between $d$ \textsf{X} and
+$d$ \textsf{O} markers,
+one of each kind of marker in each column and row.
+Equivalently, we can encode a grid diagram purely through
+a pair of disjoint permutations $\Pi_{\textsf{X}}$
+and $\Pi_{\textsf{O}}$ on the integers $\{1, \ldots, d\}$.
+An Alexander polynomial can be computed for each knot based on its
+crossings and is invariant under the Reidemeister moves. Therefore,
+all grid diagrams of the same knot have the same Alexander polynomial
+and can be transformed into one another.
+However, it is conjectured to be hard (even for a quantum computer, on
+average) to be able to generate all such equivalent
+grid diagrams, or even more simply to determine if two grid diagrams are
+equivalent. However, we can easily create a quantum
+superposition of all grid encodings, compute their Alexander polynomials
+$p$ into a second register, then measure $p$ to be left with the
+superposition of all corresponding equivalent grid diagrams.
+This one-wayness, due to quantum measurement, combined with the classical
+one-wayness of digitally signing $p$, result in the one-wayness of
+the minting algorithm.
+Based on the leading notation above, you have probably guessed that the
+basis $\mathcal{B}$ consists of all grid diagrams of size $d$ which ranges
+from $2$ to $2\overline{D}$. The size of a grid diagram is
+denoted as $d(G)$.
Oops, something went wrong.

0 comments on commit f0489be

Please sign in to comment.